Why Patching Isn’t Enough

Conventional wisdom in enterprise security dictates that implementing a regular patch management program is essential to preventing desktop exploits. In this post, I show by example video why current malware exploits defeat most patch management strategies.

Patch Management

If you talk to an enterprise Chief Information Security Officer (CISO), it won’t be very long before you hear terms like patch management, configuration control, compliance, continuous monitoring, and metrics. The reason is security has become a process that is to be managed. And what better way to manage than to have a list of items that can be regularly checked, a process to hold people accountable, and even better – grades to rate organizations.

What often gets lost in the focus on process is whether the process itself is effective in thwarting the threat it is intended to thwart. Conventional wisdom is that if you follow the process, you should be fine — at least your scores (metrics) will show you are fine. You can even draw graphs that show how well you have implemented patches across your enterprise (compliance with the process) and convince yourself and your management that you are secure.

The reality of the situation is that your graphs and scores only tell you how well you’ve followed your process, not necessarily whether you are stopping exploits and infections. Unfortunately, we don’t have ground truth to tell us how well the process is actually working, but there are indicators that are proxies for ground truth including reported security incidents, known infections, machine rebuild frequency, and help desk calls.

Today’s Enterprise Security Regime

If you look at enterprise security today, the security regime for preventing exploits and intrusions is pretty much like this:

Firewall/web gateway/filter between enterprise network and the Internet

This security regime was developed over a decade ago at a time when the threat environment was different. It’s largely designed to keep intruders from breaking into your system. I call it the castle-and-moat approach to security. It’s necessary, but not sufficient.

Today, cyber intruders don’t have to break into your system. Instead they are invited in by your users. When this happens, your firewall is useless. Requested content is let through by the firewall. Web gateways block known bad sites, but now most users get infected from sites they trust because Web 2.0 and advertising let untrusted users post content to popular and legitimate web sites. And as discussed many times in this blog, anti-virus, IDS/IPS systems are largely ineffective because they detect only threats they know about in an environment where the threats change faster than these programs can be updated.

The last sacred cow is patch management and monitoring of security controls. Again, this is a necessary practice, but not sufficient to counter the threat as we’ll soon see.

Exploiting Trusted Relationships

In a recent interview for episode #51 of the Silver Bullet Security podcast, Gary McGraw asked me what will be the next big application to be exploited. The context is last year Adobe Reader exploits superceded browser (Internet Explorer) exploits and has become the go-to application to exploit. So what’s next?

Instead of giving him another application, I told him the next big class of attacks will exploit users’ trusted relationships and prey on their emotions. These types of exploits don’t necessarily need a vulnerability in an application to succeed. The attacks only need to get users to click on links and dialog boxes by leveraging trusted relationships while appealing to basic emotions such as fear and interest. This type of exploit is highly effective in bypassing the security safeguards of fully patched and configured software by getting users to run the exploits themselves.

In the Web 2.0 world, we’ve established trusted networks on Facebook, LinkedIn, Twitter, and other online social networks. Almost by default, we assume when we get a tweet with a shortened URL from someone you are following, it can be trusted, not realizing that a worm could have posted the tweet for that tweeter. Likewise for links that are shared on Facebook, LinkedIn, Digg, Reddit, etc. Applications such as IM clients have a built-in social network of “buddies”. When you get an attachment or link from a buddy, you trust it.

Perhaps more powerful is simply appealing to desire or the bizarre. For example, Graham Cluley’s blog post on a Facebook click-jacking wormillustrates this well. It’s easy to see how many people would click on links and dialog boxes which install malware on users’ computers in their haste to see the video.

Video of an Exploit

Circling back to the original premise — why patching isn’t enough – this class of exploit that takes advantage of users’ desires, fears, and trusted relationships often does not need a vulnerability in software to infect the machine. In other words, even with fully patched software, the user will still infect his machine. In fact, going back to the current security regime, most exploits today will sail right through.

Let’s illustrate by example. Below is a video of an email I got from a trusted source — myself. It appeals to my interest in the World Cup promising to show an exciting video of a goal by the US against Slovenia.

Warning: In the video I’m visiting a web site in Internet Explorer running in Invincea Browser Protection, so I’m actually protected from infecting my desktop. If you can read the link in the video, please don’t try to visit that link at home — unless you are running Invincea Browser Protection.

When I click on the link, notice what happens. It appears my machine is infected. And fortunately my Windows anti-virus engine catches it. Well not quite. It turns out this is a fairly convincing video that is loaded from the web site. Nonetheless, it isn’t hard to imagine a user clicking through the dialog boxes like I do in the video to remove the viruses. This type of attack appeals to our fear and the need for quick resolution by clicking through boxes.

Notice that the actual infection occurs after the user clicks through the dialog boxes. Invincea Browser Protection detects the infection because the virtual environment that the browser runs in gets corrupted. The browser virtual machine is then restored back to its pristine state and the infection is eliminated. Most users, however, will get infected in this case, and more often than not, their firewall and web gateway will let the infection through, the IDS/IPS won’t blink at the attack, and the anti-virus client won’t know this particular variant of a fake anti-virus infection.